Issue Description: We are experiencing MDM profile installation failures specifically on iPhone 17 devices. After extensive testing and comparison between affected and working devices, we suspect this appears to be a parameter transmission error rather than device settings. Technical Analysis: Device Settings Comparison: No differences found between problematic and working devices in system settings, indicating this is not a configuration issue. Suspected Parameter Transmission Error: • Device model information appears to be restricted or blocked during profile download • User ID and phone number parameters are not being transmitted to the server • Installation logs show missing login ID and phone number entries Symptoms: • During MDM profile installation, the "Apps & Restrictions" section that should appear is missing • Profile download parameters are suspected to not be properly transmitted to the server • Installation process fails at the profile configuration stage Critical Finding: When we cloned a previously working device to create a problematic device configuration, the cloned device also began experiencing the same installation failures. This strongly suggests the issue is related to device-specific parameters or identifiers. Additional Information: We continue to receive reports of this issue from our iPhone 17 users, and these reports are occurring across various iOS versions. Request for Assistance: Has anyone encountered similar MDM profile installation issues on iPhone 17? Are there known limitations or changes in how device parameters are transmitted during MDM enrollment on this model? Any guidance on debugging parameter transmission or known workarounds would be greatly appreciated.

On iOS 26, if in "Single App Mode", the device gets stuck on the lock screen. Devices are configured in SAM (kiosk mode), without a PIN requirement. Since updating to iPadOS 26, every single device that locks (goes to sleep) becomes completely unresponsive at the lock screen. Touch input does not work. The only way to regain access is to reboot the device, which will boot to the SAM app, but then lock again if it goes to sleep. Related discussion in the public forums.

Hi, I am trying to enable declarative management on my device ( it is already enrolled as a sharedIpad with DEP). When sendind the command, the device's response contains an error. It is not acknowledged. Either on the device channel or on the user channel. The device channel returns : 'ErrorChain': [{'ErrorCode': 4, 'ErrorDomain': 'RMErrorDomain', 'LocalizedDescription': 'Feature Disabled: Device Channel.'}], 'Status': 'Error', and the user channel returns : 'ErrorChain': [{'ErrorCode': 12021, 'ErrorDomain': 'MDMErrorDomain', 'LocalizedDescription': '“DeclarativeManagement” is not a valid request type.', 'USEnglishDescription': '“DeclarativeManagement” is not a valid request type.'}], 'Status': 'Error', Does DEP device support declarative management? Thanks.

Is there a way to check in code if a device is under Mobile Device Management? We want to show the users a different screen in the app if it is under device management. This is primarily for devices under Apple School Manager or something similar

out of 37 devices, 7 are inactive( al are ios ). We have checked one of the devices and the broadcast message was sent successful. Additionally, Cx confirmed that the location history is shown properly. We restarted the device, checked the date and time, and found it to be correct. We also switched to a different network, but that doesn't change anything. The sync from the Hexnode app was successful. We reinstalled the MDM profile, yet it doesn't change anything. We renewed the APNs once and checked, but the scan device action remains pending.

中文： 大家好，我通过https://mdmenrollment.apple.com/session获取到了auth_session_token，并能正常使用device/activationlock、devices、profile/devices这些接口，但是不能正常使用devices/disown（https://mdmenrollment.apple.com/devices/disown）这个接口，接口返回401 UNAUTHORIZED，请问应该怎么处理？ English： Hi, I have passed https://mdmenrollment.apple.com/session Obtained auth_dession_token and can use interfaces such as device/activationlock, devices, and profile/devices normally, but cannot use devices/disown normally（ https://mdmenrollment.apple.com/devices/disown ）How should I handle this interface, which returns 401 UNAUTORIZE?

Hi, I have a question regarding reading the configuration of a managed app deployed via an MDM system. The application has an Action Extension and can receive shared files via this extension. The problem I am facing is that I can read the managed configuration in the host app by accessing the UserDefaults.standard.object(forKey: "com.apple.configuration.managed") dictionary. With this, I can configure the host app. However, I am unable to read this configuration key in the Action Extension part of the application. My question is whether there is any possibility to read the managed configuration even in the extension. So far, I have been unable to figure out how to read it. I found the sample code, but it was not very helpful since it is very basic and does not deal with extensions at all. Any hints are appreciated.

When the user pushed the lock device action on a macOS 14, it returned an acknowledgement but the device wasn't locked. Which resulted in loss of data on the device.

There could be a case where-in multiple transparent proxies might exist in the system (for ex., Cisco AnyConnect, GlobalProtect, etc). We want to know if there is a way to order transparent proxies so that the desired transparent proxy gets the request first. During our research, we found a resource which talks about ordering transparent proxies through MDM. https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy Using this reference, we tried to create a profile and push it through JAMF. Below is the profile that we created and pushed with JAMF. Property List - <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>TransparentProxy</key> <array> <dict> <key>ProviderBundleIdentifier</key> <string>com.paloaltonetworks.GlobalProtect.client.extension</string> <key>Order</key> <string>1</string> </dict> <dict> <key>ProviderBundleIdentifier</key> <string>com.cisco.anyconnect.macos.acsockext</string> <key>Order</key> <string>2</string> </dict> <dict> <key>ProviderBundleIdentifier</key> <string>com.mydomain.transparentproxy</string> <key>Order</key> <string>3</string> </dict> </array> We are not sure if this is the right way to create the profile, though JAMF is not throwing any error while pushing this profile. We see this profile on the local machine as "/Library/Managed Preferences/com.apple.networking.vpn-transparent-list.plist". Is there a way to know if the profile took effect and the order of transparent proxies has changed. Thanks in advance.

I'm reaching out to discuss a significant issue related to how iOS handles app login sessions, particularly in the context of MDM (Mobile Device Management) and the Outlook app. In our organization, we use MDM to distribute applications, including Outlook, with certificate-based authentication for BYOD (Bring Your Own Device) devices. This setup allows users to log in seamlessly to their accounts. However, we've encountered a concerning behavior: when a user unenrolls from MDM, which automatically removes the distributed apps and certificates, they can later reinstall the app from the App Store and find themselves automatically logged back into their previous accounts without any authentication prompts. Here’s a detailed breakdown of the situation: Initial Installation: Users enroll their devices in MDM, which installs the necessary apps and certificates on those devices. Session Storage: After the initial login, the app stores the session locally on the device. App Deletion: When users un enroll their devices from MDM, it automatically removes the distributed apps and certificates. Reinstallation: Days or weeks later, when they reinstall the Outlook app from the App Store, they find themselves automatically logged back into their accounts. This behavior raises important concerns: Lack of Authentication: The app retaining user sessions even after deletion allows users to access their accounts without re-authentication, which could lead to potential unauthorized access and undermines the effectiveness of certificate-based authentication and two-factor authentication (2FA). Note: This issue is not limited to Outlook; we've observed similar behavior with many other apps. Need for a Solution - Given the implications of this behavior, we are looking for effective solutions to prevent it. Specifically, we need options within the MDM framework to: Restrict Session Retention: Implement settings that ensure any app deleted via MDM will lose all stored sessions and require re-authentication upon reinstallation. Default Settings for MDM-Distributed Apps: Ideally, this would be a default feature for all apps distributed through MDM, ensuring that user sessions are not retained after app deletion. Has anyone else experienced this issue? Are there any existing settings or workarounds within MDM platforms to mitigate this problem? Your insights and experiences would be invaluable as we navigate this challenge. Thank you!

I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child. Here’s what I’d like to achieve: App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones. Time Limits: Set daily usage limits for individual apps or app categories. Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps. Remote Management: Manage these settings remotely from my device for added convenience. Activity Monitoring: View app usage stats or receive alerts for policy violations. I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations. I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on: Enrolling a personal or family-owned device into Apple Business Manager. Linking an MDM for configuring app restrictions and monitoring usage. Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations! Thanks in advance for your insights!

We provide a MDM product. In our product, payloads and properties which require supervision display those requirements. Two properties forcePreserveESIMOnErase and allowWebDistributionAppInstallation of the restriction payload don’t require a supervised device according to the descriptions in Apple Developer Documentation. However, in our observation, those properties seem to require it. Are those OS bugs or documentation errors? (In which category should I submit a feedback?) Steps to reproduce Prepare a supervised device (I used an iPhone 12 mini with iOS 18.1) and a configuration profile contains the following restrictions: <!-- Does not require a supervised device --> <key>allowDiagnosticSubmission</key> <false/> <!-- Requires a supervised device --> <key>allowESIMModification</key> <false/> <!-- Does not require a supervised device according to its description --> <key>allowWebDistributionAppInstallation</key> <false/> <!-- Does not require a supervised device according to its description --> <key>forcePreserveESIMOnErase</key> <true/> Then, Install the profile with Apple Configurator. Confirm 4 restrictions are shown in Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Punch Settings > General > Transfer or Reset iPhone > Erase All Content and Settings, to unsupervise. Install the profile with Apple Configurator. It cannot be installed automatically because the device was not supervised. Manually install the downloaded profile. Check Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Expected results 3 restrictions—allowDiagnosticSubmission, allowWebDistributionAppInstallation and forcePreserveESIMOnErase—are shown. Actual results Only one restriction—allowDiagnosticSubmission—is shown. Appendix: Restriction keys and their restricted message shown in Settings allowESIMModification: eSIM modification not allowed forcePreserveESIMOnErase: Preserve eSIM on erase enforced allowWebDistributionAppInstallation: Web app distribution not allowed allowDiagnosticSubmission: Diagnostic submission not allowed

Would it be possible to prevent deletion of specific apps on iOS devices using MDM.

We have a development where we are MDM managing iOS devices and attempting to enforce mutual TLS for all interactions with the MDM. We are DEP provisionng an enrolment profile that utilises an ACME hardware attested Device Identity Certificate. All interactions with the MDM endpoints are correctly utilising the ACME certificate for the client mutual TLS handshake. The certificate has Client Authentication Extended Key Usage. Behind the same API gateway and on the same SNI we are also serving paths to Enterprise application manifests and IPAs. We can see from the phone log and from packet traces the iOS device doesn't offer the Device Identity Certificate for client authentication when retrieving these URLs. We have also tried adding non ACME client certificates from the root trusted by the server to the initial profile with exactly the same outcome. If we temporarily disable the mutualTLS we can see that the request for the manifest has a userAgent of "com.apple.appstored/1.0 iOS/18.2 model/iPhone17,3 hwp/t8140 build/22C5125e (6; dt:329) AMS/1" which is not the same as the mdm interactions. Is it actually possible to achieve mutualTLS to authenticate these downloads or is a different solution required ? Any advice greatly appreciated.

Ref- https://support.apple.com/en-in/guide/deployment/dep3b4cf515/web When we deploy an Payload with identifier "com.apple.airprint" , It will add the deployed printer configurations to printers list in mac. Which additionally needs the mac user to add it from Settings -> Printers -> Add Printer -> (Deployed Printer Configuration will be listed here) Select the printer -> Click Add . Screenshot where user need to add it manually after profile association is attached below. Now the Printer is available to be used ,when an share option in any document is clicked. Why this flow requires multiple to and fro. Can it be able to deploy the printer straight to Printers available List instead of manually adding from the above screenshot

On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.

I have private certificate authority. Root &gt; Intermediate &gt; Leaf. When I install the Root Certificate, it shows in Settings &gt; General &gt; About &gt; Certificate Trust Settings in iOS 18.1.1 However, when I install the Intermediate Certificate (including the CA Bundle), the Intermediate CA Certificate is not shown in the Certificate Trust Settings. All my leaf certificates are issued by the Intermediate CA. Is this a bug? If not, how can this be solved? TIA!

When clicking Upload for the CSR file, there is no APNS certificate available for download. Instead, the portal redirects to https://www.apple.com/filenotfound MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices. Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes. Let me know if you need more details, Thank you, Sergio

I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .

I have 5-6 mac minis connected to my windows server 2022 and the accounts that connect to the mac are network account. How do I block the network users from accessing or using certain apps like terminal and passwords?